Archivi categoria: Azure Networking

Azure IaaS and Azure Stack: announcements and updates (September 2022 – Weeks: 35 and 36)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Azure Virtual Machines with Ampere Altra Arm–based processors

Microsoft is announcing the general availability of the latest Azure Virtual Machines featuring the Ampere Altra Arm–based processor. The new virtual machines will be generally available on September 1, and customers can now launch them in 10 Azure regions and multiple availability zones around the world. In addition, the Arm-based virtual machines can be included in Kubernetes clusters managed using Azure Kubernetes Service (AKS). This ability has been in preview and will be generally available over the coming weeks in all the regions that offer the new virtual machines.


Prevent a lifecycle management policy from archiving recently rehydrated blobs

Azure Storage lifecycle management offers a rule-based policy that you can use to transition blob data to the appropriate access tiers or to expire data at the end of the data lifecycle. You can configure rules to move a blob to archive tier based on last modified condition. If you rehydrate a blob by changing its tier, this rule may move the blob back to the archive tier. This can happen if the last modified time is beyond the threshold set for the policy. Now you can add a new condition, daysAfterLastTierChangeGreaterThan, in your rules, to skip the archiving action if the blobs are newly rehydrated.

Encrypt storage account with cross-tenant customer-managed keys (preview)

The ability to encrypt storage account with customer-managed keys (CMK) using an Azure Key Vault hosted on a different Azure Active Directory tenant is available in preview. You can use this solution to encrypt your customers’ data using an encryption key managed by your customers.

Ephemeral OS disks supports host-based encryption using customer managed key

Ephemeral OS disk customers can choose encryption type between platform managed keys or customer managed keys for host-based encryption. The default is platform managed keys. This feature would enable our customers to meet organization’s compliance needs.

Resource instance rules for access to Azure Storage

Resource instance rules enable secure connectivity to a storage account by restricting access to specific resources of select Azure services.
Azure Storage provides a layered security model that enables you to secure and control access to your storage account. You can configure network access rules to limit access to your storage account from select virtual networks or IP address ranges. Some Azure services operate on multi-tenant infrastructure, so resources of these services cannot be isolated to a specific virtual network.
With resource instance rules, you can now configure your storage account to only allow access from specific resource instances of such Azure services. For example, Azure Synapse offers analytic capabilities that cannot be deployed into a virtual network. If your Synapse workspace uses such capabilities, you can configure a resource instance rule on a secured storage account to only allow traffic from that Synapse workspace.
Resource instances must be in the same tenant as your storage account, but they may belong to any resource group or subscription in the tenant.


ExpressRoute IPv6 Support for Global Reach

IPv6 support for Global Reach unlocks connectivity between on-premise networks, via the Microsoft backbone, for customers with dual-stack workloads. Establish Global Reach connections between ExpressRoute circuits using IPv4 subnets, IPv6 subnets, or both. This configuration can be done using Azure Portal, PowerShell, or CLI.

Azure IaaS and Azure Stack: announcements and updates (August 2022 – Weeks: 33 and 34)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Azure VMware Solution now in Sweden Central

Azure VMware Solution empowers you to seamlessly extend or migrate your existing on-premises VMware workloads to Azure without the cost, effort, or risk of re-architecting applications or retooling operations. With this update Azure VMware Solution has now expanded availability to the Sweden Central Azure region.

Azure VMware Solution: public IP capability

Most customer applications running on Azure VMware Solution require internet access. These applications require both outbound and inbound internet connectivity. Azure VMware Solution Public IP is a simplified and scalable solution for running these applications. With this capability, Microsoft enables the following:

  • Direct inbound and outbound internet access for AVS to the NSX-T Edge.
  • The ability to receive up to 1000 or more Public IPs.
  • DDoS Security protection against network traffic in and out of the internet.
  • Enable support for VMware HCX (migration tool for VMwre VMs) over the public internet.

UAE North Availability Zones

Availability Zones in UAE North are made up of three unique physically separated locations or “zones” within a single region to bring higher availability and asynchronous replication across Azure regions for disaster recovery protection.


Private endpoint network security group support

Private endpoint support for network security groups (NSGs) is now generally available. This feature enhancement provides you with the ability to enable advanced security controls on traffic destined to a private endpoint. In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled.

Private endpoint user-defined routes support

Private endpoint support for user-defined routes (UDRs) is now generally available. This feature enhancement will remove the need to create a /32 address prefix when defining custom routes. You will now have the ability to use a wider address prefix in the user defined route tables for traffic destined to a private endpoint (PE) by way of a network virtual appliance (NVA). In order to leverage this feature, you will need to set a specific subnet level property, called PrivateEndpointNetworkPolicies, to enabled on the subnet containing private endpoint resources.

Azure Stack

Azure Stack HCI

Azure Stack HCI 22H2: Network ATC improvements

Network ATC can simplify the deployment and on-going management of host networking in Azure Stack HCI. In this article are described all improvements to this component, released with Azure Stack HCI 22H2 update.

Software Defined Networking (SDN) extensions reach General Availability for WAC

SDN Infrastructure, Network Security Groups (NSGs), Logical networks, Virtual Networks, Load Balancers, and Gateways reach General Availability for Windows Admin Center (WAC). SDN Infrastructure’s “Network Controller” tab in WAC now displays information about cluster, server, and node certificates, complete with UI indications that certificate will expire soon. 

Azure IaaS and Azure Stack: announcements and updates (August 2022 – Weeks: 31 and 32)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Azure Dedicated Host restart (preview)

Azure Dedicated Host gives you more control over the hosts you deployed by giving you the option to restart any host. When undergoing a restart, the host and its associated VMs will restart while staying on the same underlying physical hardware. With this new capability, now in preview, you can take troubleshooting steps at the host level.

Azure Dedicated Host support for Ultra SSD (preview)

Currently, VMs running on Azure Dedicated Host support the use of Standard and Premium Azure disks as data disks. With this preview, Microsoft is introducing support for Azure Ultra Disks on Azure Dedicated Host. Azure Ultra disks are highly performant disks on Azure that offer high throughput (maximum of 4000 MBps per disk) and high IOPS (maximum of 160,00 IOPS per disk) depending on the disk size.
If you are running IaaS workloads that are data intensive and latency sensitive, such as Oracle DB, MySQL DB, other critical databases, and gaming applications, you will benefit from using Ultra disks as data disks on VMs hosted on Azure Dedicated Host.

Microsoft Azure available from new cloud region in Qatar

Microsoft is launching a new datacenter region in Qatar. The new datacenter region includes Azure Availability Zones, which offer you additional resiliency for your applications by designing the region with unique physical datacenter locations with independent power, network, and cooling for additional tolerance to datacenter failures.

Enforcement mode of machine configuration (previously guest configuration)

The enforcement mode of machine configuration (previously guest configuration) is now generally available. This represents the ApplyAndMonitor and ApplyAndAutocorrect auditing modes. The customer experience within Azure has not changed as a result of the renaming. Machine configuration continues to provide a native capability to audit or configure operating system settings as code, both for machines running in Azure and hybrid Azure Arc-enabled servers, directly per-machine or at-scale orchestrated through Azure Automanage, Microsoft Defender for Cloud, or Azure Policy.
You will now be able to:

  • Apply and monitor configurations: set the required configuration on your machines and remediate on demand.
  • Apply and autocorrect configurations: set the required configuration at scale and autoremediate in the event of a configuration drift.
  • Apply configurations to machines at management group level.
  • Set TLS 1.2 to machines through our newly released built-in policy.
  • Create, delete, and monitor the compliance of your configurations through the Azure portal.


Azure StorSimple 8000/1200 series will no longer be supported starting 31st December 2022

Support for the following StorSimple versions will end 31st December 2022:
• StorSimple 8000 series – 8100, 8600, 8010, 8020
• StorSimple 1200 Series
• StorSimple Data Manager
• StorSimple Snapshot Manager

The StorSimple service will reach end of life which means the following will no longer be available:
• All cloud management capability (e.g. viewing or updating settings related to volumes, shares, backups, backup policies or installing updates, etc.)
• Access to live data and backups.
• Access to customer support resources (phone, email, web)
• Hardware replacement parts and repair services for StorSimple 8000 series devices
• Software updates for StorSimple 8000 series and 1200 series devices

Microsoft has been expanding the portfolio of Azure Hybrid storage capabilities with new services for data tiering and cloud ingestion, providing more options to customers for storing data in Azure in native formats.


Azure Firewall Premium is now ICSA labs certified

Azure Firewall Premium SKU is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It provides advanced threat protection that meets the needs of highly sensitive and regulated environments and includes Intrusion Prevention System (IPS) and TLS inspection capabilities.
The new Intrusion Prevention System (IPS) certification from ICSA Labs is an important IPS certification, is an addition to existing Firewall certification, from ICSA Labs.
ICSA Labs provides credible third-party testing and certification of security and health IT products, as well as network-connected devices. This includes certification of network intrusion prevention systems.
ICSA Labs Network Intrusion Prevention System (IPS) security certification test cycle includes Azure Firewall protection against exploits aimed at approximately 100 high severity vulnerabilities in enterprise software. Because real world attacks do not happen on a quiescent network, ICSA Labs tests with an appropriate level of background traffic using various mixes of enterprise network traffic. The test included evasion techniques, platform security of the product itself, logging, secure administration, and administrative functions.
Azure Firewall is the first cloud firewall service to attain the ICSA Labs Corporate Certification for both Firewall and IPS services.

Next hop IP support for Route Server

With next hop IP support, you can deploy network virtual appliances (NVAs) behind an Azure Internal Load Balancer (ILB) to acheive key active-passive connectivity scenarios and improve connectivity performance.

Come rafforzare la protezione di rete grazie a Defender for Cloud

In ambito networking Microsoft Azure mette a disposizione una serie di soluzioni, native della piattaforma, che consentono di ottenere un elevato grado di sicurezza se vengono adottate nel modo opportuno. Un importante valore aggiunto per raffinare e rafforzare la security posture della rete è dato da Microsoft Defender for Cloud, in quanto consente di contemplare, mediante funzionalità specifiche, anche determinati aspetti del networking. In questo articolo viene approfondito come Microsoft Defender for Cloud consente di verificare, raggiungere e mantenere una configurazione da best practice del networking di Azure.

Panoramica di Defender for Cloud

La soluzione Microsoft Defender for Cloud mette a disposizione una serie di funzionalità in grado di contemplare due importanti pilastri della sicurezza per le architetture moderne che adottano componenti cloud: Cloud Security Posture Management (CSPM) e Cloud workload protection (CWP).

Figura 1 – I pilastri della sicurezza contemplati da Microsoft Defender for Cloud

In ambito Cloud Security Posture Management (CSPM) Defender for Cloud è in grado di fornire le seguenti funzionalità:

  • Visibilità: per valutare l’attuale situazione relativa alla sicurezza.
  • Guida all’hardening: per poter migliorare la sicurezza in modo efficiente ed efficace.

Grazie ad un assessment continuo Defender for Cloud è in grado di scoprire continuamente nuove risorse che vengono distribuite e valuta se sono configurate in base alle best practice di sicurezza. In caso contrario, le risorse vengono contrassegnate e si ottiene un elenco prioritario di consigli relativi a ciò che è opportuno correggere per migliorare la loro protezione. Questo processo avviene nello specifico anche per le risorse di rete e le raccomandazioni sono incentrare sulle varie soluzioni in ambito networking come ad esempio: next generation firewall, Network Security Group e JIT VM access. Un elenco completo delle raccomandazioni e delle relative azioni correttive, consigliate da Defender for Cloud per la rete, è possibile consultarlo in questo documento.

Figura 2 – Esempi di raccomandazioni relative al networking

Per quanto concerne l’ambito Cloud Workload Protection (CWP), Defender for Cloud eroga avvisi di sicurezza basati su Microsoft Threat Intelligence. Inoltre, include una ampia gamma di protezioni avanzate ed intelligenti per i workload, fornite tramite piani di Microsoft Defender specifici per le differenti tipologie di risorse presenti nelle subscription ed in ambienti ibridi e multi-cloud.

Le funzionalità specifiche di Defender for Cloud in ambito networking

Per quanto riguarda il networking, Defender for Cloud oltre a fare un assessment continuo delle risorse e a generare eventuali raccomandazioni, include altre funzionalità specifiche:

Figura 3 – Le funzionalità di Microsoft Defender for Cloud in ambito networking

Adaptive network hardening

I Network Security Groups (NSG) sono lo strumento principale per controllare il traffico di rete in Azure, attraverso il quale, tramite delle regole di deny e permit, è possibile filtrate le comunicazioni tra differenti workload attestati sulle virtual network di Azure. Tuttavia, possono esserci delle situazioni in cui il traffico di rete effettivo che attraversa un NSG corrisponde solo ad un sottoinsieme delle regole che sono state definite all’interno del NSG stesso. In questi casi, per migliorare ulteriormente la security posture è possibile perfezionare le regole presenti nei NSG, in base ai modelli di traffico di rete effettivi. La funzionalità di adaptive network hardening di Defender for Cloud verifica proprio questo e genera delle raccomandazioni per rafforzare ulteriormente le regole presenti nei NSG. Per ottenere questo risultato viene utilizzato un algoritmo di machine learning che tiene conto del traffico di rete effettivo, della configurazione presente, dell’intelligence sulle minacce e di altri indicatori di compromissione.

Figura 4 – Raccomandazioni relative alla funzionalità di adaptive network hardening

Network Map

Per monitorare continuamente lo stato di sicurezza della rete, Defender for Cloud mette a disposizione una mappa interattiva che consente di visualizzare graficamente la topologia della rete, includendo consigli e raccomandazioni per fare hardening delle risorse di rete. Inoltre, usando la mappa è possibile controllare le connessioni tra le macchine virtuali e le subnet, fino a valutare se ogni nodo è configurato correttamente dal punto di vista della rete. Andando a controllare come sono collegati i nodi è possibile individuare e bloccare più facilmente le connessioni indesiderate che potrebbero potenzialmente rendere più facile per un utente malintenzionato attaccare la propria rete. Per maggiori informazioni su questa funzionalità è possibile consultare la documentazione ufficiale Microsoft.

Figura 5 – Mappa di rete generata da Defender for Cloud

Per poter usufruire di queste specifiche funzionalità è necessario licenziare il piano Defender for Servers Plan 2.


Una strategia vincente in ambito Azure networking, in grado di supportare anche il modello Zero Trust, la si può ottenere applicando un mix-and-match dei differenti servizi di sicurezza di rete per avere una protezione su più livelli. Al tempo stesso risulta molto utile poter far affidamento alle funzionalità di Defender for Cloud, anche per contemplare gli aspetti legati al networking, che tramite un assessment continuo ed una visibilità approfondita permettono di ottenere ambienti configurati secondo le best practice anche nel corso del tempo.

Azure IaaS and Azure Stack: announcements and updates (July 2022 – Weeks: 29 and 30)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Virtual machine restore points

VM restore points provides you with a point in time snapshot of all the managed disks attached to your Virtual Machine. Customers and Azure partners who are looking to build business continuity and disaster recovery solutions can use VM restore points to capture app consistent and crash consistent backups natively on the Azure platform. This can then be used to restore disks and VMs during scenarios such as data loss, data corruption, or disaster recovery. 

NVads A10 v5 Virtual Machines

NVads A10 v5 virtual machines (VMs) are now generally available in West Europe, South Central US, and West US3 regions. The NVads A10 v5 VM series enables a wide variety of graphics, video, and AI workloads, including virtual production and visual effects, engineering design and simulation, game development and streaming, virtual desktops/workstations and more. They feature NVIDIA A10 Tensor Core GPUs, up to 72 AMD EPYC™ 74F3-series vCPUs, and are designed to offer the right choice for any workload with optimum configurations for both single user and multi-session environments. 

Azure confidential VMs (DCasv5/ECasv5-series VMs)

Azure confidential VMs are designed to offer a new, hardware-based TEE leveraging SEV-SNP, which hardens guest protections to deny the hypervisor and other host management code access to VM memory and state, protecting against operator access. Azure DCasv5/ECasv5 confidential VMs, utilizing 3rd Gen AMD EPYC processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) security features, are available. 

Trusted Launch support for DCsv3 and DCdsv3 series Virtual Machines

Trusted Launch support for DCsv3 and DCdsv3 virtual machines is available. DCsv3 and DCdsv3 series virtual machines provides support for Intel® SGX. With all new hardware-based security paradigm is now just a few clicks away in Azure to deploy DCsv3 virtual machines with trusted launch feature.


Live resize for Premium SSD and Standard SSD Disk Storage

Resizing a disk on Azure can provide increased storage capacity and better performance for your applications. As part of our commitment to continuously add new capabilities to our Azure Disk Storage portfolio, live resize for Premium SSD and Standard SSD Disk Storage is now generally available. With live resize, you can dynamically increase the storage capacity of your Premium SSD and Standard SSD disks without causing any disruption to your applications. To reduce costs, you can start with smaller disks and gradually increase their storage capacity without experiencing any downtime.

Azure Premium SSD v2 Disk Storage (preview)

The next generation of Microsoft Azure Premium SSD Disk Storage is available in preview. This new disk offering provides the most advanced block storage solution designed for a broad range of input/output (IO)-intensive enterprise production workloads that require sub-millisecond disk latencies as well as high input/output operations per second (IOPS) and throughput at a low cost. With Premium SSD v2, you can now provision up to 64TiBs of storage capacity, 80,000 IOPS, and 1,200 MBPS throughput on a single disk. With best-in-class IOPS and bandwidth, Premium SSD v2 provides the most flexible and scalable general-purpose block storage in the cloud, enabling you to meet the ever-growing demands of your production workloads such as SQL Server, Oracle, MariaDB, SAP, Cassandra, Mongo DB, big data, analytics, gaming, on virtual machines, or stateful containers. Moreover, with Premium SSD v2, you can provision granular disk sizes, IOPS, and throughput independently based on your workload needs, providing you more flexibility in managing performance and costs.


TLS 1.3 support on Application Gateway (preview)

The new Predefined and CustomV2 policies on Application Gateway come with TLS v1.3 support. They provide improved security and performance benefits, fulfilling the needs of your enterprise security policies. You may use out-of-the-box predefined policies or configure a preferred cipher-suite list by using the CustomV2 policy.

Azure Stack

Azure Stack HCI

Azure Marketplace for Arc-enabled Azure Stack HCI (preview)

Azure Marketplace for Arc-enabled Azure Stack HCI makes it easy and convenient to download the latest fully patched image to your cluster with just a few clicks in the Azure Portal. This preview focuses on Windows 11 Enterprise multi-session, the image used by Azure Virtual Desktop, and Windows Server 2022 Datacenter Azure Edition, which enables hot-patching (reboot-less patching) for on-premises VMs. More images will follow in the coming months. This preview is available for all in-market Azure Stack HCI.

Remote support for Arc-enabled Azure Stack HCI (preview)

When opening a case, you can now grant Microsoft support engineers remote access to your cluster to gather logs of perform remediation steps themselves. This reduces the back-and-forth that’s typical with on-premises support. New PowerShell cmdlets and Windows Admin Center tools let you precisely control and audit the access that support engineers get, including time limits, allow-listing cmdlets, and comprehensive auditing that’s always on.

Arc-enabled guest VMs with extensions for Azure Stack HCI (preview)

When you deploy a new virtual machine through Azure Arc onto Azure Stack HCI, the guest operating system is now automatically enrolled as an Arc-enabled server instance. This means you can use popular VM extensions like Custom Script to perform configuration inside the VM (like installing an application) as part of VM deployment. To illustrate the usefulness of this capability, Microsoft is providing a sample custom script extension that enrolls a VM into an Azure Virtual Desktop session host pool, eliminating manual configuration of the guest agent as its own step. This preview is available for all in-market Arc-enabled Azure Stack HCI.

Azure Stack HCI version 22H2 (preview)

The operating system at the heart of Azure Stack HCI gets a major update with new features and enhancements every year. Next month, the first significant preview of version 22H2 will become available to clusters enrolled in the public Preview channel. Like version 21H2, the new version 22H2 will be available as a free, non-disruptive, over-the-air update for all subscribers when it reaches general availability later this year. Content-wise, the update is focused on fundamental improvements to the core hypervisor, storage, and networking.

Storage replication in stretch clusters is faster, and you can convert existing volumes from fixed provisioning to thin provisioning.

Network ATC has gained new abilities, including automatic IP addressing for storage networks, support for stretch clusters, and better network proxy support.

Hyper-V live migration is faster and more reliable for switchless 2-node and 3-node clusters.

And for new installations, version 22H2 starts with a stronger default security posture, including a stronger set of protocols and cipher suites, Secured-Core Server, Windows Defender application control, and other well-known security features enabled by default right from the start.

Azure Stack Hub

Azure Well-Architected Framework Assessments (preview)

Two pillars of the Well-Architected Framework are available in Preview for Azure Stack Hub on the Microsoft Assessment Platform: Reliability and Operational Excellence. If you are using Azure Stack Hub to deploy and operate workloads for key business systems, it is now possible to answers questions for these pillars within the assessments platform. After completing the assessments, you will be provided with a maturity or risk score, together with prescriptive guidance and knowledge links that suggest possible improvements you could make to your architecture design and score.

Azure IaaS and Azure Stack: announcements and updates (July 2022 – Weeks: 27 and 28)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Ephemeral OS disk support for confidential virtual machines (preview)

The support to create confidential VMs using Ephemeral OS disks is available. This enables customers using stateless workloads to benefit from the trusted execution environments (TEEs). Trusted execution environments protect data being processed from access outside the trusted execution environments.

Azure Archive Storage now available in South Africa North

Azure Archive Storage provides a secure, low-cost means for retaining rarely accessed data including backup and archival storage. Now, Azure Archive Storage is available in South Africa North.

Azure Active Directory authentication for exporting and importing Managed Disks (preview)

Azure already supports disk import and export locking only from a trusted Azure Virtual Network (VNET) using Azure Private Link. For greater security, Microsoft is launching the integration with Azure Active Directory (AD) to export and import data to Azure Managed Disks. This feature enables the system to validate the identity of the requesting user in Azure AD and verify that the user has the required permissions to export and import that disk. 


Azure Gateway Load Balancer

Gateway Load Balancer is a fully managed service enabling you to deploy, scale, and enhance the availability of third party network virtual appliances (NVAs) in Azure. You can add your favorite third-party appliance whether it is a firewall, inline DDoS appliance, deep packet inspection system, or even your own custom appliance into the network path transparently.
With Gateway Load Balancer, you can easily add or remove advanced network functionality without additional management overhead. It provides bump-in-the-wire technology that ensures all traffic heading to a public endpoint is sent to an appliance before it reaches an application. Gateway Load Balancer supports flow symmetry and source IP preservation. As a result, packets traverse the same network path in both directions, enabling stateful appliances, and your traffic remains transparent to both your appliances and your application.
Gateway Load Balancer is now generally available in all public regions, Azure China cloud regions, and Azure Government cloud regions.

Azure IaaS and Azure Stack: announcements and updates (July 2022 – Weeks: 25 and 26)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Create an additional 5000 Azure Storage accounts within your subscription (preview)

Azure Storage is announcing public preview of the ability to create an additional 5000 Azure Storage accounts per subscription per region. This is a 20 times increase from the current limit of 250 and helps you create several hundred or thousand storage accounts to address your storage needs within a single subscription, instead of creating additional subscriptions.

Azure Stack

Azure Stack HCI

Network ATC is now publicly available with Azure Stack HCI 21H2

If you’ve deployed Azure Stack HCI previously, you know that network deployment can pose a significant challenge. You might be asking yourself:

  • How do I configure or optimize my adapter?
  • Did I configure the virtual switch, VMMQ, RDMA, etc. correctly?
  • Are all nodes in the cluster the same?
  • Are we following the best practice deployment models?
  • (And if something goes wrong) What changed!?

So, what does Network ATC actually set out to solve? Network ATC can help:

  • Reduce host networking deployment timecomplexity, and errors
  • Deploy the latest Microsoft validated and supported best practices
  • Ensure configuration consistency across the cluster
  • Eliminate configuration drift

Network ATC does this through some new concepts, namely “intent-based” deployment. If you tell Network ATC how you want to use an adapter, it will translate, deploy, and manage the needed configuration across all nodes in the cluster. 

Azure IaaS and Azure Stack: announcements and updates (June 2022 – Weeks: 23 and 24)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Trusted launch support for virtual machines using Ephemeral OS disks

Trusted launch virtual machine (VM) support for VMs using Ephemeral OS disks improves the security of generation 2 VMs in Azure.


Azure NetApp Files datastores for Azure VMware Solution (preview)

The public preview of Azure NetApp Files datastores for Azure VMware Solution (AVS) is available. This new integration between Azure VMware Solution and Azure NetApp Files will enable you to create datastores via the Azure VMware Solution resource provider with Azure NetApp Files NFS volumes and mount the datastores on your private cloud clusters of choice. Along with the integration of Azure disk pools for Azure VMware Solution, this will provide more choice to scale storage needs independently of compute resources. For your storage-intensive workloads running on Azure VMware Solution, the integration with Azure NetApp Files helps to easily scale storage capacity beyond the limits of the local instance storage for AVS provided by vSAN and lower your overall total cost of ownership for storage-intensive workloads.

Azure NetApp Files: feature general availability and feature expansion of regional availability

To meet the demanding requirements of enterprise mission-critical workloads, new features are constantly added to Azure NetApp Files and previously released preview features are moved into general availability. The following capabilities are recently generally available and no longer need registration for use: AES encryption for AD authentication, Backup policy users, Administrators privilege users, and Dynamic change of service level. Additionally, feature regional coverage continues to expand for Azure NetApp Files cross-region replication. The following are the cross-region replication region pair additions: Brazil South and South Central US, West US 3 and East US, Australia Central and Australia Central 2, France Central and West Europe. Also, regional coverage has expanded for Azure NetApp Files for standard network features. The following regions are standard network feature additions: Australia Central, Australia Central 2, Australia Southeast, East US 2, France Central, Germany West Central, North Europe, West Europe, West US 2, and UK South.


Azure Firewall updates

The following updates are available for Azure Firewall:

  • Intrusion Detection and Prevention System (IDPS) signatures lookup 
  • TLS inspection (TLSi) Certification Auto-Generation 
  • Web categories lookup 
  • Structured Firewall Logs 
  • IDPS Private IP ranges (preview)

Azure WAF policy and DDoS management in Azure Firewall Manager

Azure Firewall Manager now supports managing DDoS Protection Plans for virtual networks and Azure Web Application Firewall (Azure WAF) policies for application delivery platforms: Azure Front Door and Azure Application Gateway.

Azure Virtual Network Manager in nine new regions (preview)

Azure Virtual Network Manager helps you create your desired topologies like hub and spoke and mesh with just a few clicks. The security admin rules feature allows you to enforce security policies throughout your organization. You can create an Azure Virtual Network Manager instance in nine more regions and manage your virtual networks at scale across regions, subscriptions, management groups, and tenants globally from a single pane of glass.

Private link support in Azure Application Gateway (preview)

With private link support, incoming traffic to an Azure Application Gateway frontend can be secured to clients running in another Azure Virtual Network, Azure subscription, or Azure subscription linked to a different Azure Active Directory tenant through Azure Private Link. Traffic between private endpoints in your virtual network and your Application Gateway will traverse a secure and private connection.

ExpressRoute IPv6 Support for Global Reach (preview)

IPv6 support for Global Reach unlocks connectivity between on-premise networks, via the Microsoft backbone, for customers with dual-stack workloads. Establish Global Reach connections between ExpressRoute circuits using IPv4 subnets, IPv6 subnets, or both. This configuration can be done using Azure Portal, PowerShell, or CLI.

Network Watcher packet capture support for virtual machine scale sets (preview)

Azure Network Watcher packet capture announces support for virtual machines scale sets. This is as an out of the box, on-demand capability, enabling faster diagnostics and troubleshooting of networking issues.

Connection Monitor Support for virtual machine scale sets

Azure Network Watcher Connection Monitor announces support for virtual machine scale sets which enables faster performance monitoring and network troubleshooting through connectivity checks.

ExpressRoute Direct and Circuit in different subscriptions (preview)

Generate an authorization for the ExpressRoute Direct resource and redeem the authorization to create an ExpressRoute Circuit in a different subscription and/or Azure Active Directory Tenant. This feature is currently available in public preview.

Azure IaaS and Azure Stack: announcements and updates (June 2022 – Weeks: 21 and 22)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



DCsv3 and DCdsv3 series Virtual Machines

Confidential computing DCsv3 and DCdsv3-series virtual machines (VMs) are generally available.

Switzerland North Availability Zones

Availability Zones in Switzerland North are made up of three unique, physically separated, locations or “zones” within a single region which bring higher availability and asynchronous replication across Azure regions for disaster recovery protection. Availability Zones give you additional options for high availability for your most demanding applications and services as well as confidence and protection from potential hardware and software failures.

Azure Ebsv5 now available in 13 additional regions

Azure Virtual Machines Ebsv5 and Ebdsv5 are now available in 13 additional regions: South Africa North, France Central, Central India, Korea Central, Germany West Central, UK West, South India, Canada East, Australia Central, Japan West, Switzerland North, Norway East and UAE North.

Azure NC A100 v4 virtual machines for AI

Azure NC A100 v4 series virtual machines (VMs) are now generally available in US East 2, US East, Southeast Asia, and West Europe. These VMs, powered by NVIDIA A100 80GB Tensor Core PCIe GPUs and 3rd Gen AMD EPYC™ Milan processors, improve the performance and cost-effectiveness of a variety of GPU performance-bound real world AI training and inferencing workloads. 


Storage optimized Azure VMs deliver higher performance for data analytics

Microsoft is announcing the general availability of new storage optimized Azure Virtual Machines. The new Lasv3 and Lsv3 VM series have been engineered to run workloads that require high throughput and high IOPS, including big data applications, SQL and NoSQL databases, distributed file systems, data analytics engines, and more. 


Azure Bastion IP based connection

Azure Bastion now supports connectivity to Azure virtual machines or on-premises resources via specified IP address. When IP based connection feature is enabled, Azure Bastion can be used to RDP/SSH into an on-premises resource over ExpressRoute and Site-to-Site VPN.

Manage Azure Web Application Firewall policies in Azure Firewall Manager (preview)

Azure Firewall Manager now supports Azure Web Application Firewall (Azure WAF) policies for application delivery platforms, Azure Front Door, and Azure Application Gateway.

Enhanced IPv6 functionality for MultiValue profiles in Azure Traffic Manager

Azure Traffic Manager now enables you to specify minimum children property separately for IPv4 and IPv6 endpoints for MultiValue profiles.

Azure Private Link support in Azure API Management

With Azure Private Link support in Azure API Management, you can now integrate clients in a virtual network privately.

Azure Stack

Azure Stack HCI single-node

At Build 2022, Microsoft announces the new single-node offering that provides additional options for business scenarios with different requirements.  The new single-node Azure Stack HCI fulfills growing hybrid infrastructure needs in remote locations while maintaining the innovation of native integration with Azure Arc. Specifically, this new configuration offers flexibility to deploy the stack in smaller spaces and with less processing needs, optimizing resources while still delivering quality and consistency. 

Additional benefits of Azure Stack HCI single-node include:

  • Smaller Azure Stack HCI solutions for environments with physical space constraints or that don’t require built-in resiliency, like retail stores and branch offices.
  • A smaller footprint reduces hardware and operational costs. 
  • Solutions can be built to scale, ranging from single-node up to 16 nodes if needed.

Azure IaaS and Azure Stack: announcements and updates (May 2022 – Weeks: 17 and 18)

This series of blog posts includes the most important announcements and major updates regarding Azure infrastructure as a service (IaaS) and Azure Stack, officialized by Microsoft in the last two weeks.



Azure Lab Services April 2022 update (preview)

IT departments, administrators, educators, and students can utilize the following updated features in Azure Lab Services:

  • Enhanced lab creation and improved backend reliability
  • Access performance
  • Extended virtual network support
  • Easier labs administration via new roles
  • Improved cost tracking via Azure Cost Management service
  • Availability of PowerShell module
  • .NET API SDK for advanced automation and customization
  • Integration with Canvas learning management system


Azure File Sync agent v15 

Azure File Sync agent v15 is available and it’s now on Microsoft Update and Microsoft Download Center.

Improvements and issues that are fixed:

  • Reduced transactions when cloud change enumeration job runs
  • View Cloud Tiering status for a server endpoint or volume
  • New diagnostic and troubleshooting tool
  • Immediately run server change enumeration to detect files changes that were missed by USN journal
  • Miscellaneous improvements

More information about this release:

  • This release is available for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022 installations.
  • A restart is required for servers that have an existing Azure File Sync agent installation if the agent version is less than version 12.0.
  • The agent version for this release is
  • Installation instructions are documented in KB5003882.

Object replication on premium blob storage and rule limit increased

Object replication now supports premium block blobs to replicate your data from your blob container in one storage account to another anywhere in Azure. The destination storage account can be a premium block blob or a general-purpose v2 storage account.

You can also specify up to 1000 replication rules (increased from 10) for each replication policy for both general-purpose v2 and premium block blob storage accounts.  

Object replication unblocks a set of common replication scenarios for block blobs: 

  • Minimize latency: have your users consume the data locally rather than issuing cross-region read requests.  
  • Increase efficiency: have your compute clusters process the same set of objects locally in different regions. 
  • Optimize data distribution: have your data consolidated in a single location for processing/analytics and then distribute only resulting dashboards to your offices worldwide. 
  • Optimizing costs: after your data has been replicated, you can reduce costs by moving it to the archive tier using life cycle management policies. 


Controls to block domain fronting behavior on customer resources

Effective April 29, 2022,you will be able to stop allowing domain fronting behavior on your Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources in alignment with Microsoft’s commitment to secure the approach to domain fronting within Azure.

Virtual Network NAT health checks available via Resource Health

Virtual Network NAT (VNet NAT) is a fully managed and highly resilient network address translation (NAT) service. With Virtual Network NAT, you can simplify your outbound connectivity for virtual networks without worrying about the risk of connectivity failures from port exhaustion or your internet routing configurations.

Support for Resource Health check with Virtual Network NAT helps you monitor the health of your NAT gateway as well as diagnose or troubleshoot outbound connectivity. 

With Azure Resource Health, you can: 

  • View a personalized dashboard of the health of your NAT gateway 

  • Set up customizable resource health alerts to notify you in near real-time of when the health status of your NAT gateway changes 

  • See the current and past health history of your NAT gateway to help you mitigate issues 

  • Access technical support when you need help with Azure services, such as diagnosing and solving issues 

Virtual Network NAT Resource Health is available in all Azure public regions, Government cloud regions, and China Cloud regions. 

Enhancements to Azure Web Application Firewall

Microsoft offers two options, global WAF integrated with Azure Front Door and regional WAF integrated with Azure Application Gateway, for deploying Azure WAF for your applications and APIs.

On March 29, Microsoft announced the general availability of managed Default Rule Set 2.0 with anomaly scoring, Bot Manager 1.0, and security reports on global WAF. Additional features on regional WAF are available, that offer you better security, improved scale, easier deployment, and better management of your applications and APIs:

  • Reduced false positives with Core Rule Set 3.2 integrated with Azure Application Gateway. The older CRS 2.2.9 ruleset is being phased out in favor of the newer rulesets.
  • Improved performance and scale with the next generation of WAF engine, released with CRS 3.2
  • Increased size limits on regional WAF for body inspection up to 2MB and file upload up to 4GB
  • Advanced customization with per rule exclusion and attribute by names support on regional WAF
  • Native consistent experience with WAF policy, new deployments of Application Gateway v2 WAF SKU now natively utilizes WAF policies instead of configuration
  • Advanced analytics capabilities with new Azure Monitor metrics on regional WAF